The Green Sheet Online Edition
January 25, 2016 • Issue 16:01:02
Real capabilities of tokenization in mobile payments
During the first three quarters of 2014, global payment and transaction companies raised a combined $1.18 billion through 75 funding deals (www.finextra.com/news/fullstory.aspx?newsitemid=26797). More and more banks have launched plans to build mobile payments directly into their mobile banking apps. And a broad range of payment options and channels – from Apple Pay to Google Wallet, from Samsung Pay to Visa Checkout – are in the market, vying for majority adoption.
But with the increasing amount of technology developed to create a fast, convenient payment experience and the rising number of high-profile data breaches within the last year, merchants, issuers, payment schemes and consumers are more than ever prioritizing payment and data security.
In the scramble to find new ways of protecting personal details and avoiding embarrassing data breaches, tokenization is being promoted as the defense against mobile payment fraud. Of course, the use of tokens – the process of substituting a sensitive data element with a nonsensitive equivalent – is well respected. Applied to the payment card industry, tokenization has been used as an encryption method for cardholder information post-authorization for many years.
In their most basic form, payment tokens are surrogate values that replace primary account numbers (PANs) and can be used for mobile POS transactions, in-app purchases or online purchases to limit the impact of data breaches or sporadic card theft.
The Payment Security Taskforce (www.pymnts.com/wp-content/uploads/2014/12/US-Payments-Security-Evolution-and-Strategic-Road-Map-for-Release.pdf) defines three different types of payment tokens:
- EMV (Europay, MasterCard and Visa) tokens: Compliant with the EMV Payment Tokenization Specification, developed as a multischeme initiative by Visa, MasterCard and American Express.
- Acquiring tokens: Created by the acquirer, merchant or a Payment Service Provider (PSP) after cardholders present their payment credentials.
- Issuer tokens: Also known as virtual card numbers or alternate PANs, created by issuers to reduce risk in specific use cases.
Token credentials can be limited to use on a specific device, at a specific merchant or for specific types of goods and services. The uses, advantages and disadvantages are diverse. Yet for all the promise of tokenization, it is not above significant criticism.
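To make those domain restrictions concrete, here is an added example (not from the article, nor from myPINpad) of a hypothetical token vault in Python: the PAN, device and merchant identifiers are constructed, tokens are random surrogates that keep only the last four digits, and the vault refuses to map a token back to its PAN when it is presented outside the device or merchant it was bound to.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TokenRecord:
    """What the vault stores beside a surrogate token (constructed example)."""
    pan: str                     # the real PAN, held only inside the vault
    device_id: Optional[str]     # None means no device restriction
    merchant_id: Optional[str]   # None means no merchant restriction


class TokenVault:
    """Hypothetical token service: issues surrogate values for PANs and
    enforces the token's domain restrictions before mapping it back."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, device_id: Optional[str] = None,
                 merchant_id: Optional[str] = None) -> str:
        # The token is random, not derived from the PAN, so the PAN cannot be
        # recovered from the token without access to the vault. The last four
        # digits are kept so receipts and apps can display them as usual.
        # The leading "9" is an arbitrary constructed prefix for this example.
        while True:
            token = "9" + "".join(secrets.choice("0123456789") for _ in range(11)) + pan[-4:]
            if token not in self._records:
                break
        self._records[token] = TokenRecord(pan, device_id, merchant_id)
        return token

    def detokenize(self, token: str, device_id: str,
                   merchant_id: str) -> Tuple[Optional[str], str]:
        """Return (pan, reason); pan is None when the request is refused."""
        rec = self._records.get(token)
        if rec is None:
            return None, "unknown token"
        # A token stolen from one phone is useless on another ...
        if rec.device_id is not None and rec.device_id != device_id:
            return None, "device mismatch"
        # ... and a merchant-bound token cannot be replayed elsewhere.
        if rec.merchant_id is not None and rec.merchant_id != merchant_id:
            return None, "merchant mismatch"
        return rec.pan, "ok"
```

A token issued with no restrictions resolves anywhere, which is the article's point in miniature: restrictions reduce what a leaked token is worth, but the vault holding the real PANs remains something that must be protected.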
The first concern is the extent to which tokenization adheres to the Payment Card Industry Data Security Standard. In its most recent guide to the use of tokens, the PCI Security Standards Council discusses the role of tokenization in "reducing the risk of unauthorized disclosure of a PAN" (www.pcisecuritystandards.org/documents/Tokenization_Product_Security_Guidelines.pdf).
The use of the word "reducing" is critical here, because this is what tokenization does. It reduces risk; it doesn't eliminate it. Of course, the nature of risk is such that it is never entirely eliminated, and it would be unfair to expect otherwise. Yet it is a stark warning that tokenization is not a complete solution on its own, nor should it be treated as beyond improvement.
Cybercriminals are dynamic in their approach, improving their methods daily and proving that what was once thought to be safe is now breachable. In future years, device proliferation will continue and will expand beyond smartphones into wearables and the Internet of Things.
Tokenization has a critical role to play, but only as part of a multilayered security solution that also incorporates other protective methods such as end-to-end encryption, biometrics and strong user authentication. The latter can be implemented by merchants as a "step-up" security method, triggered under predefined circumstances, to maintain a good customer experience.
We may hear that security, although essential, slows down the innovation process. Innovation cannot be stopped by security, but security itself needs to find new, multilayered ways to help the payments ecosystem with compliance, risk and fraud reduction.
The payments industry needs further education around tokenization, and an understanding that, although popular now, tokenization cannot be the only protection in place to ensure that sensitive information, such as payment card data, personally identifiable data or financial account data, remains safe.
David Poole, Business Development Director at myPINpad (www.mypinpad.com), has spent more than 20 years at the forefront of new technology and payment processes. In previous roles he spearheaded the integration of electronic payments with custom POS solutions in hospitality and retail both in the U.K. and the United States. Before joining myPINpad in 2013, David was an executive at Miura, a technology company founded to reshape electronic payments. He oversaw the commercial success of the company during the three years he held this position. He can be reached at email@example.com.